272249 - LXR error reveals server configurations and versions

Status: RESOLVED WORKSFORME

(Webtools Graveyard :: MXR, defect)

Description

[bulk88]

User-Agent:       Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Build Identifier: 

Went to thios page, got an error. It reveals under the hood stuff about the 
site, and what perl version is runs. The version (5.6.x) seems old to me (maybe 
b/c I am a newbie), so it could be a security risk.

Reproducible: Always
Steps to Reproduce:
1. goto http://lxr.mozilla.org/seamonkey/ident?i=this 
2.
3.

Comment 1

[Asa Dotzler [:asa]]

This is not a bug. I'm quite sure that the server intentionally advertises this
information. 

-> Myk.

Comment 2

[Daniel Veditz [:dveditz] (OOO: back Aug 26)]

Confirming the error message. Not sure this is serious problem requiring the
confidential flags, but switching from the general security flag to the more
appropriate webtools security flag.

Comment 3

[Dave Miller [:justdave]]

It's common knowledge that we run RHEL, and those are the standard paths for
those files on RHEL, so it's not exposing any information anyone wouldn't know
anyway.

That said, I'm not a big fan of the whole "security by obscurity" thing, we're
better off making sure the system can't be broken into for them to have the
chance to use it.

Comment 4

[Dave Miller [:justdave]]

(moved to LXR because the fact those error messages are showing up is an LXR bug)

Comment 5

[Reed Loden [:reed]]

I don't see anything server-related when I go to http://lxr.mozilla.org/seamonkey/ident?i=this

Is this still an issue?

Comment 6

[Reed Loden [:reed]]

This error isn't showing up any more, and this isn't really a security issue. Closing out.